By Alicia Dale
Whether you are performing a security audit or troubleshooting an ongoing issue, you will inevitably need to look back at past point-in-time logs. Are you already using a cloud storage provider to store your company’s data? Luckily, there are ways to revive your archived logs using the cloud provider you’re already familiar with and your own observability suite.
Reviving log data from a previous point in time shouldn’t be a hassle. In this article, we will show you some options for storing your log data so that you can retrieve it on demand. By keeping some logs in a tier you can still reach through archiving and retrieval, you can potentially shorten your current log retention policy and reduce the upfront cost of data storage.
First, let’s take a look at the different options that are available so that you can see which one would best fit your storage needs.
Hot, Warm, and Cold Object Storage Buckets
Hot data is information that needs to be viewed quickly. It’s usually immediately searchable and can easily be analyzed in a few seconds. For example, when you create a search query in your Splunk Observability Suite that allows you to retrieve your organization’s logs, the query returns data quickly and efficiently, allowing you to gather the insights that you need to move forward. Data stored in this category will most likely cost you more than data stored in either warm or cold data tiers.
Warm data is stored in a location where it is not as easy to access as the hot data described above, but it’s also not as difficult to retrieve as the cold data described below. We’ll call this the “Goldilocks” storage option. A common example of a warm data storage option would be a data warehouse, where both historical and current data that is used for analysis and reporting can be stored in a single location.
Cold data storage buckets contain information that does not need to be accessed quickly, such as archived documents and data that is used infrequently. Retrieving data from cold storage will definitely be more difficult than running a query in your observability suite as you would to access your hot data. However, you won’t need to access your cold data nearly as frequently as your hot data. Common examples of data that is suitable for cold storage include records kept for financial, legal, or auditing purposes that you may only need to access once a year (or even less frequently).
Archiving and Restoring Your Logs
In order to restore your logs, you will first need to archive your existing logs. You may have a few different options for doing this based upon which observability suite you use. You will need to find a way to take your existing log data and store it in a location where it won't be affected by your current log retention policy. You can either migrate your data to a cloud provider’s storage bucket for archiving, or you can move it to a different index directory where it won’t be purged.
If you’re using Splunk, you can archive your indexed data by setting one of the attributes below in the indexes.conf file. Use either option 1 or option 2.
- Option 1: Set the coldToFrozenDir attribute to the path where you want your frozen archive to live:
- coldToFrozenDir = <path to frozen archive>
- Option 2: Set the coldToFrozenScript attribute to point at an archiving script, which the indexer runs just before it erases the frozen data, giving the script a chance to copy that data out of the index:
- coldToFrozenScript = <path to program that runs the script> <path to script>
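As a concrete illustration of option 2, a coldToFrozenScript might look like the sketch below. This is a minimal example under stated assumptions, not Splunk’s reference script: Splunk invokes the configured program with the path of the bucket about to be frozen as its first argument, and the script must preserve whatever it needs (here, the rawdata directory) before the bucket is deleted. The archive location is a hypothetical path chosen for illustration.

```python
#!/usr/bin/env python3
"""Minimal coldToFrozenScript sketch: copy a bucket's rawdata out of
the index before Splunk erases the frozen bucket.

ARCHIVE_DIR is an assumed example location, not a Splunk default."""
import shutil
import sys
from pathlib import Path

ARCHIVE_DIR = Path("/opt/splunk_frozen_archive")  # assumed archive path

def archive_bucket(bucket_path: str, archive_dir: Path = ARCHIVE_DIR) -> Path:
    """Copy the bucket's rawdata directory into the archive, keyed by
    the bucket's directory name, and return the destination path."""
    bucket = Path(bucket_path)
    rawdata = bucket / "rawdata"
    if not rawdata.is_dir():
        raise FileNotFoundError(f"no rawdata directory in {bucket}")
    dest = archive_dir / bucket.name
    dest.mkdir(parents=True, exist_ok=True)
    shutil.copytree(rawdata, dest / "rawdata", dirs_exist_ok=True)
    return dest

if __name__ == "__main__" and len(sys.argv) > 1:
    # Splunk passes the path of the bucket being frozen as argv[1].
    archive_bucket(sys.argv[1])
```

The script exits successfully only after the copy completes, which matters because the indexer deletes the bucket once the script returns.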
To restore your log data using Splunk, you simply move it into your thawed directory. There, you can access the data for as long as you need and delete it when you are finished with it. Data restored to the thawed directory is not subject to the default index aging process (hot > warm > cold > frozen). The restored data will need a new name so that it can be picked up by the indexer.
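The move into the thawed directory can be scripted. The sketch below is an illustration under assumed paths, not Splunk tooling: it copies an archived bucket into an index’s thaweddb directory under a fresh name so it won’t collide with existing buckets. Afterwards you would still run `splunk rebuild <bucket path>` on the indexer to make the thawed data searchable; that CLI step appears here only as a comment.

```python
#!/usr/bin/env python3
"""Sketch of restoring an archived bucket into Splunk's thawed
directory. The thaweddb path and naming are assumptions for the
default index; adjust both for your environment."""
import shutil
from pathlib import Path

# Assumed thawed location for the default index.
THAWED_DIR = Path("/opt/splunk/var/lib/splunk/defaultdb/thaweddb")

def thaw_bucket(archived_bucket: str, new_name: str,
                thawed_dir: Path = THAWED_DIR) -> Path:
    """Copy an archived bucket into thaweddb under a new name so the
    indexer can pick it up without clashing with live buckets."""
    dest = thawed_dir / new_name
    if dest.exists():
        raise FileExistsError(f"{dest} already exists; choose another name")
    shutil.copytree(archived_bucket, dest)
    # After copying, rebuild the bucket so it becomes searchable, e.g.:
    #   $SPLUNK_HOME/bin/splunk rebuild <path to thawed bucket>
    return dest
```

Raising on an existing destination mirrors the requirement above that restored data carry a name the indexer has not already seen.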
Searching and Analyzing Your Logs
Now that your data has been archived and restored, you can search and analyze your logs just like you would your normal log data. Keep in mind that you will need to remember the name you gave the retrieved data, because that is how you will query it. Now, with Splunk Log Observer, you can narrow down your query to find the logs that you need for your finance team, an audit, or a troubleshooting exercise that you’re working on. No matter why you need them, your logs will be there and ready to analyze. There is no end to what you can do with your log data when you have the ability to archive, restore, and search it.
Logs are essential for any organization that wants an overall view of its entire infrastructure. If you find yourself digging through historical logs for your applications, just know that you can always restore them from your archives. Watch this demo and visit the Splunk Log Observer webpage to learn more.